T1671 Splunk · SPL

Detect Cloud Application Integration in Splunk

This detection identifies adversaries establishing persistence in SaaS environments by abusing OAuth application integrations. Attackers register their own applications, hijack existing integrations, or obtain consent for adversary-controlled apps from highly privileged accounts. Because an OAuth grant or an application credential does not depend on the user's password, the access survives a password reset or other remediation of the compromised account. Detection focuses on anomalous OAuth consent grants, new application registrations, service principal creation, and permission escalation events in Microsoft 365, Azure AD/Entra ID, and Google Workspace environments. Particular attention is paid to admin consent grants for high-privilege scopes, application registrations from non-admin users, and OAuth grants that occur outside normal business workflows.

MITRE ATT&CK

Tactic
Persistence
Technique
T1671 Cloud Application Integration
Canonical reference
https://attack.mitre.org/techniques/T1671/

SPL Detection Query

index=* (sourcetype="o365:management:activity" OR sourcetype="azure:aad:audit")
| search Operation IN (
    "Consent to application.",
    "Add application.",
    "Add service principal.",
    "Add OAuth2PermissionGrant.",
    "Add delegated permission grant.",
    "Update application.",
    "Add app role assignment to service principal.",
    "Add app role assignment grant to user."
  )
| eval actor = coalesce(UserId, mvindex('Actor{}.ID', 0), ClientIP)
| eval target_app = coalesce(ObjectId, mvindex('Target{}.ID', 0))
| eval permissions_raw = coalesce(mvjoin('ModifiedProperties{}.NewValue', "|"), "")
| eval is_admin_consent = if(match(permissions_raw, "AllPrincipals"), "true", "false")
| eval high_priv_perms = if(
    match(permissions_raw, "Mail\.Read|Mail\.ReadWrite|Files\.Read\.All|Files\.ReadWrite\.All|Directory\.ReadWrite\.All|RoleManagement\.ReadWrite|Application\.ReadWrite\.All|full_access_as_app|User\.Read\.All"),
    "true",
    "false"
  )
| where is_admin_consent="true" OR high_priv_perms="true" OR Operation IN ("Add application.", "Add service principal.")
| eval risk_score = case(
    is_admin_consent="true" AND high_priv_perms="true", "Critical",
    is_admin_consent="true", "High",
    high_priv_perms="true", "High",
    true(), "Medium"
  )
| stats
    count AS event_count,
    values(Operation) AS operations,
    values(permissions_raw) AS granted_permissions,
    min(_time) AS first_seen,
    max(_time) AS last_seen,
    values(ClientIP) AS source_ips
  BY actor, target_app, is_admin_consent, high_priv_perms, risk_score
| eval risk_rank = case(risk_score="Critical", 3, risk_score="High", 2, true(), 1)
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - risk_rank, - event_count
| table first_seen, last_seen, actor, target_app, operations, granted_permissions, is_admin_consent, high_priv_perms, risk_score, event_count, source_ips
Severity
High
Confidence
High

Searches Office 365 Management Activity events for OAuth consent grants, application and service principal registrations, and permission assignments; flags grants made on behalf of all users (ConsentType AllPrincipals, i.e. admin consent) and grants that name sensitive permission scopes, and assigns a risk tier from the combination of the two. Points to check before scheduling it:

  • The field names (Operation, UserId, ObjectId, Target{}.ID, ModifiedProperties{}.NewValue) are those of the o365:management:activity sourcetype. Events in azure:aad:audit from the Splunk Add-on for Microsoft Cloud Services carry the Microsoft Graph audit schema (operationName, initiatedBy, targetResources) and operation names without the trailing period, so they will not match until those fields are aliased or normalised.
  • Replace index=* with the index that actually receives the Office 365 data; a wildcard index scan on every run is the first thing a Splunk administrator will reject.
  • Google Workspace, mentioned in the description, is not covered by this query; it reads Microsoft logs only.
  • The scope regex matches permission names. Consent and app role assignment events carry those names in ModifiedProperties, but manifest updates ("Update application.") typically record the requested permissions by ID, so a scope escalation made only through the manifest sets neither flag and is dropped by the where clause.
  • Credential additions (Test 3 below) are not in the Operation list; to cover them, add the credential-management operations your tenant logs, for example "Add service principal credentials.", to the IN() list.

Data Sources

  • Microsoft Office 365
  • Azure Active Directory
  • Splunk Add-on for Microsoft Office 365

Required Sourcetypes

  • o365:management:activity
  • azure:aad:audit

False Positives & Tuning

  • Enterprise IT teams performing bulk application consent during Microsoft 365 tenant migrations or onboarding
  • Authorized third-party security vendors (CASB, email security gateways) requiring broad mail or directory permissions
  • Developer accounts in non-production tenants registering test applications with elevated scopes for integration testing
  • Microsoft-published applications (Teams apps, Compliance Center) requesting permission scope updates during product updates
  • Managed service providers performing delegated administration tasks on behalf of client organizations
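The following is an added example, not code from the original page or from Splunk: the query's eval/where/stats logic re-implemented in Python over constructed Office 365 Management Activity records, with a sanctioned-application allowlist covering the tuning cases listed above. It lets you unit-test a change to the scope regex, the risk tiers or the allowlist before touching the saved search. Field names follow the o365:management:activity schema; the users, application names, IPs and ModifiedProperties values are invented.

```python
"""Offline re-implementation of the SPL detection above.
Added example, not code from the original page or from Splunk. It mirrors the
query's eval/where/stats steps over CONSTRUCTED Office 365 Management Activity
(AzureActiveDirectory workload) records and adds the sanctioned-app allowlist
the tuning notes call for. Field names (Operation, UserId, ObjectId, ClientIP,
ModifiedProperties[].NewValue) follow that schema; users, apps and IPs are made up.
"""
import re
from collections import defaultdict

# Same Operation list as the SPL search clause; the trailing period is part of
# the unified audit log operation name.
WATCHED_OPERATIONS = {
    "Consent to application.", "Add application.", "Add service principal.",
    "Add OAuth2PermissionGrant.", "Add delegated permission grant.",
    "Update application.", "Add app role assignment to service principal.",
    "Add app role assignment grant to user.",
}
ALWAYS_REPORT = {"Add application.", "Add service principal."}  # new app surface
HIGH_PRIV_RE = re.compile(  # same scope regex as the SPL high_priv_perms test
    r"Mail\.Read|Mail\.ReadWrite|Files\.Read\.All|Files\.ReadWrite\.All|"
    r"Directory\.ReadWrite\.All|RoleManagement\.ReadWrite|"
    r"Application\.ReadWrite\.All|full_access_as_app|User\.Read\.All")
RISK_RANK = {"Critical": 3, "High": 2, "Medium": 1}  # ordinal sort, not alphabetic

def permissions_raw(event):
    """mvjoin('ModifiedProperties{}.NewValue', "|"), empty string when absent."""
    return "|".join(p.get("NewValue", "") for p in event.get("ModifiedProperties", []))

def classify(event):
    """eval + where steps: (is_admin_consent, high_priv_perms, risk_score), or
    None when the query would drop the event."""
    op = event.get("Operation")
    if op not in WATCHED_OPERATIONS:
        return None
    raw = permissions_raw(event)
    admin = "AllPrincipals" in raw                 # tenant-wide (admin) consent
    high = HIGH_PRIV_RE.search(raw) is not None    # sensitive scope requested
    if not (admin or high or op in ALWAYS_REPORT):
        return None
    risk = "Critical" if admin and high else "High" if admin or high else "Medium"
    return admin, high, risk

def detect(events, approved_apps=frozenset()):
    """stats ... BY actor, target_app, flags, risk_score; sorted Critical > High >
    Medium, then by event_count. approved_apps suppresses sanctioned integrations
    (matched on ObjectId, i.e. the app display name or object ID)."""
    groups = defaultdict(lambda: {"event_count": 0, "operations": set(),
                                  "granted_permissions": set(), "source_ips": set()})
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        actor = ev.get("UserId") or (ev.get("Actor") or [{}])[0].get("ID") or ev.get("ClientIP")
        target = ev.get("ObjectId") or (ev.get("Target") or [{}])[0].get("ID")
        if target in approved_apps:  # tuning allowlist (a lookup in real SPL)
            continue
        g = groups[(actor, target) + verdict]
        g["event_count"] += 1
        g["operations"].add(ev["Operation"])
        g["granted_permissions"].add(permissions_raw(ev))
        g["source_ips"].add(ev.get("ClientIP", ""))
    rows = [dict(zip(("actor", "target_app", "is_admin_consent", "high_priv_perms", "risk_score"), key),
                 event_count=g["event_count"], operations=sorted(g["operations"]),
                 granted_permissions=sorted(g["granted_permissions"]), source_ips=sorted(g["source_ips"]))
            for key, g in groups.items()]
    rows.sort(key=lambda r: (-RISK_RANK[r["risk_score"]], -r["event_count"]))
    return rows

def _ev(op, user, ip, obj, *props):
    """Constructed record; props are (Name, NewValue) pairs of ModifiedProperties."""
    return {"Operation": op, "UserId": user, "ClientIP": ip, "ObjectId": obj,
            "ModifiedProperties": [{"Name": n, "NewValue": v, "OldValue": ""} for n, v in props]}

SAMPLE_EVENTS = [  # constructed, not captured from a tenant
    _ev("Consent to application.", "alice.admin@contoso.example", "203.0.113.10", "Mail Archiver Pro",
        ("ConsentContext.IsAdminConsent", "True"),
        ("ConsentAction.Permissions", "[[ConsentType: AllPrincipals, Scope: Mail.Read Mail.ReadWrite offline_access]]")),
    _ev("Add OAuth2PermissionGrant.", "bob@contoso.example", "198.51.100.7", "Team Lunch Poll",
        ("ConsentType", "Principal"), ("Scope", "User.Read openid profile")),
    _ev("Add service principal.", "carol.dev@contoso.example", "198.51.100.22", "Integration Test SP",
        ("DisplayName", "Integration Test SP")),
    _ev("Add OAuth2PermissionGrant.", "alice.admin@contoso.example", "203.0.113.10", "Badge Printer",
        ("ConsentType", "AllPrincipals"), ("Scope", "User.Read")),
    _ev("Add app role assignment to service principal.", "dave.dev@contoso.example", "198.51.100.9", "HR Sync",
        ("AppRole.Value", "Directory.ReadWrite.All")),
    _ev("Consent to application.", "alice.admin@contoso.example", "203.0.113.10", "Approved CASB Connector",
        ("ConsentAction.Permissions", "[[ConsentType: AllPrincipals, Scope: Mail.ReadWrite Files.Read.All]]")),
    _ev("Update user.", "eve@contoso.example", "198.51.100.3", "eve@contoso.example"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, approved_apps={"Approved CASB Connector"}):
        print(row["risk_score"], row["actor"], "->", row["target_app"], row["operations"])
```

Run as a script it prints one row per (actor, app, flags) group, Critical first. The user-consent grant to User.Read and the unrelated "Update user." event drop out exactly as the where clause and the Operation filter would drop them, and the allowlisted CASB connector is suppressed even though it would otherwise score Critical. In Splunk the allowlist would normally be a lookup on target_app applied before the stats.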


Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Register Malicious OAuth Application in Azure AD

    Expected signal: AuditLogs entries with OperationName='Add application' and OperationName='Add service principal' carrying the new App ID in TargetResources, followed by OperationName='Add delegated permission grant' showing the Graph API permissions added. In the o365:management:activity sourcetype the same events arrive as Operation="Add application.", "Add service principal." and "Add delegated permission grant." (with the trailing period), which is what the query above filters on.

  2. Test 2: Grant Admin Consent to Existing Application via PowerShell

    Expected signal: AuditLogs: OperationName='Add OAuth2PermissionGrant' with ConsentType='AllPrincipals' and Scope containing 'Mail.Read'. InitiatedBy will show the Global Administrator account and ResultType should be 'Success'. In the query above this surfaces as Operation="Add OAuth2PermissionGrant." with is_admin_consent="true" and high_priv_perms="true", i.e. risk_score Critical.

  3. Test 3: Add Client Secret to Existing Service Principal for Persistent API Access

    Expected signal: AuditLogs: OperationName='Add password to service principal' with the target App ID in TargetResources and the credential display name 'AtomicTest-PersistentSecret'. AADSignInLogs: Service principal sign-in using client_credentials grant type showing the App ID authenticating to Microsoft Graph.
